
Re: central usermanagement



"daniel meier" <maillist@krims.ch> writes:
> I'm just thinking about a kind of central user management. I'm a newbie
> at central user management on Linux. As far as I could find out there are
> two possibilities, Kerberos and PAM.

Kerberos and PAM are two completely different things, well, mostly.
PAM stands for Pluggable Authentication Modules, and it gives a
generic way for services to get authentication information and do
things like verify passwords.  Kerberos is a somewhat complex system
that also authenticates users to services.  There are PAM modules that
do Kerberos; a given service can also be written to use Kerberos
directly, or use a layer like GSSAPI or SASL for its network
communications.

> I'd like to use this for:
>
> ftp (proftp)
> www
> exim-smtp
> courier
> samba

I can speak to some of these services, though not all.  MIT's Athena
system is heavily built upon Kerberos (and basically not at all upon
PAM; notably, per-user local logins use a modified login binary rather
than PAM modules).  This works well with the AFS networked file system
(replaces samba); there is also a Kerberized version of ssh (in
Debian, in the ssh-krb5 package), which also provides Kerberized scp.
MIT uses a modified version of some standard MTA (I don't
actually know which) to provide Kerberized POP and IMAP; I don't think
the patches are readily available.

Some of these services, notably Web and SMTP service, really don't
lend themselves to any sort of authentication system.  There's
Kerberized FTP with the MIT krb5 distribution, but nobody really seems
to recommend it; Kerberized scp is generally preferred.  I suspect
you'll have issues using any sort of sane authentication against samba.

> For my needs (small company - 25 users) I need a simple but powerful
> solution. I thought of using postgres with PAM.

Well, the big problem that Kerberos tries to avoid is sending
passwords across the network in the clear.  Using a centralized
postgres server or something similar for password distribution
probably gives you at best md5-crypted passwords sent across the
network, which are still subject to sniffing and subsequent dictionary
attacks.

This having been said, most of the world doesn't care about this.
Distributing passwords and login information via NIS or LDAP seems
popular, as does using NFS as a primary network filesystem.  How
paranoid are you, and how paranoid will you be?

> 2.) Is PAM included in the binary build package of exim (woody)?

"That question doesn't make sense."  Where would a user type a
password at exim?  What access would it authenticate for?

-- 
David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
	-- Abra Mitchell
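The point David makes above about a central password table (a sniffable, reusable credential on the wire) versus what Kerberos is designed to avoid, shown as an added example that is not part of the original thread. It is a toy model: the "hashed password over the wire" scheme and a simplified Kerberos-style pre-authentication (modelled with an HMAC over a fresh timestamp instead of real Kerberos encryption); the user, password, salt and clock values are constructed.

```python
import hashlib
import hmac

# Constructed demo data: the central directory stores a salted, password-derived
# value per user (hex). A single fixed salt is used only to keep the demo short.
SALT = b"demo-salt"

def derive(password):
    return hashlib.sha256(SALT + password.encode()).hexdigest()

USERS = {"daniel": derive("correct horse")}

# Scheme 1: the client sends its hashed password and the server compares strings.
# Whatever crosses the wire is a reusable credential: sniffing it is as good as
# having the password, and the captured value can be dictionary-attacked offline.
def hashed_login(user, password):
    on_wire = derive(password)                      # this is what a sniffer sees
    return on_wire, hmac.compare_digest(on_wire, USERS.get(user, ""))

def replay_hashed(user, sniffed):
    """An eavesdropper who captured `sniffed` needs no password at all."""
    return hmac.compare_digest(sniffed, USERS.get(user, ""))

# Scheme 2: Kerberos-style pre-authentication, simplified. The client proves it
# holds the password-derived key by MACing a fresh timestamp; the key itself never
# leaves the client, and the KDC rejects stale or already-seen proofs.
SKEW = 300             # seconds, like the Kerberos clock-skew window
SEEN = set()           # replay cache of proofs accepted within the window

def kerberos_style_request(user, password, now):
    key = bytes.fromhex(derive(password))
    proof = hmac.new(key, str(now).encode(), "sha256").hexdigest()
    return user, now, proof                         # no password or key on the wire

def kdc_verify(user, ts, proof, now):
    if user not in USERS or abs(now - ts) > SKEW or proof in SEEN:
        return False
    key = bytes.fromhex(USERS[user])
    expected = hmac.new(key, str(ts).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, proof):
        return False
    SEEN.add(proof)
    return True

if __name__ == "__main__":
    wire, ok = hashed_login("daniel", "correct horse")
    print("hashed login:", ok, "| replay of sniffed value:", replay_hashed("daniel", wire))
    req = kerberos_style_request("daniel", "correct horse", now=1000)
    print("kerberos-style:", kdc_verify(*req, now=1000), "| replay:", kdc_verify(*req, now=1001))
```

Note that this toy does not make weak passwords safe: a captured timestamp proof can still be guessed against offline, which is why real Kerberos deployments still depend on good passwords (or stronger pre-authentication).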